Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary files on the server hosting the AGiXT instance.
Details
agixt/endpoints/Extension.py:165 (source) -> agixt/XT.py:1035 (hop) -> agixt/extensions/essential_abilities.py:436 (sink)
# source
command_args = command.command_args
# hop
response = await Extensions(...).execute_command(command_name=command_name, command_args=command_args)
# sink
new_path = os.path.normpath(os.path.join(self.WORKING_DIRECTORY, *paths.split("/")))PoC
# tested on: agixt<=1.9.1
# install: pip install agixt==1.9.1
import requests
BASE = "http://localhost:7437"
TOKEN = "<your_api_key>"
headers = {"Authorization": f"Bearer {TOKEN}"}
payload = {
"command_name": "read_file",
"command_args": {
"filename": "../../etc/passwd"
}
}
r = requests.post(f"{BASE}/api/agent/MyAgent/command", json=payload, headers=headers)
print(r.text)
# expected output: root:x:0:0:root:/root:/bin/bash ...Impact
Authenticated users can read, overwrite, or delete arbitrary files on the host server, enabling credential theft, persistent code execution, or denial of service. Authentication is required but no elevated privileges are needed beyond a valid API key.
AnalysisAI
Path traversal in AGiXT Python package (versions ≤1.9.1) allows authenticated attackers to read, write, or delete arbitrary files on the host server. The essential_abilities extension's safe_join() function fails to validate that resolved paths remain within the agent workspace directory, enabling directory traversal sequences (e.g., ../../etc/passwd) to bypass intended file access restrictions. Exploitation requires low-privilege authentication (valid API key) but no user interaction. Public exploit code exists demonstrating /etc/passwd disclosure via the read_file command endpoint.
Technical ContextAI
Root cause: improper path validation in safe_join() at agixt/extensions/essential_abilities.py:436. os.path.normpath(os.path.join(WORKING_DIRECTORY, *paths.split('/'))) evaluates directory traversal sequences before boundary enforcement, enabling CWE-22 path traversal. Attack flow: authenticated API request → Extension.py:165 command_args → XT.py:1035 execute_command → vulnerable sink normalizes attacker-controlled path outside workspace.
RemediationAI
Vendor-released patch: AGiXT version 1.9.2 remediates this vulnerability. Upgrade immediately via 'pip install --upgrade agixt==1.9.2' or later. The fix enforces canonical path validation ensuring resolved paths remain within WORKING_DIRECTORY boundaries before filesystem operations. Official release announcement: https://github.com/Josh-XT/AGiXT/releases/tag/v1.9.2. Workaround (if upgrade infeasible): disable essential_abilities extension or restrict /api/agent/*/command endpoint to trusted authentication tokens only. Review server logs for suspicious filename patterns containing '../' sequences. Full vendor advisory with technical details: https://github.com/Josh-XT/AGiXT/security/advisories/GHSA-5gfj-64gh-mgmw. No temporary mitigation eliminates risk; patching to 1.9.2+ is the only complete remediation.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20974
GHSA-5gfj-64gh-mgmw